@algolia/[email protected] rejected Risk: 48 No license 2026-02-17

@algolia/client-common @4.26.0

rejected

This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.

npm Repository Tarball

Risk Score

—

License

Install Scripts

Dependencies

Dev Dependencies

2.6 KB

Package Size

2026-02-17

Published

Maintainers

haroenvshortcutsfluf

Dependencies (2)

Package	Constraint	Registry Status
@algolia/transporter	4.26.0	auto_approved
@algolia/requester-common	4.26.0	auto_approved

Transitive Dependency Tree

4 transitive deps max depth 2

├─ @algolia/requester-common 4.26.0 → 4.26.0

├─ @algolia/transporter 4.26.0 → 4.26.0

├─ @algolia/cache-common 4.26.0 → 4.26.0

├─ @algolia/logger-common 4.26.0 → 4.26.0

├─ @algolia/requester-common 4.26.0 → 4.26.0

Changes from v5.48.1

Dependency Changes

Change	Package	Version
added	@algolia/transporter	4.26.0
added	@algolia/requester-common	4.26.0

Script Changes

- test- build- clean- test:bundle

File Changes

3 added 8 removed 2 modified size delta: -149.5 KB

Risk Dispositions (3 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule	Source	Disposition	Author	Reason
`regressed-provenance`	provenance	reject	AI	AI (provenance): Provenance regression is a persistent signal for this package — any version published without CI/CD attestation after a history of having it should be rejected.
`missing-githead`	provenance	reject	AI	AI (provenance): Missing gitHead after a history of having it indicates a changed publish environment, consistent with compromise.
`publisher-changed`	provenance	reject	AI	AI (provenance): Publisher changed from GitHub Actions to a human account with no prior publishing history on this package. Generalizes as a disqualifier until the transition is verified.

SAST Findings (3)

HIGH Provenance attestation missing — previous versions had it provenance

This version was published without provenance, but prior versions were published via CI/CD with attestations. This is a strong signal of a potential account compromise or unauthorized publish. The axios attack (March 2026) exhibited exactly this pattern.

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: fluf.

HIGH Publisher changed: GitHub Actions → fluf (on 2026-02-17) provenance

This version was published by a different npm account than previous versions on 2026-02-17. This could indicate a legitimate maintainer transition or an account compromise.

Review Summary

Risk score: 48. Findings: 1 high (+25), 2 medium (+20), 1 low (+3), 4 info (+0).

Published to npm: 2026-02-17